Malware Tricks 400K Windows PCs Into Mining Cryptocurrency

The malicious program was stopped by Microsoft's Windows Defender antivirus software. Redmond is blaming a Trojan dubbed Dofoil.

By Michael Kan

8 Mar 2018, 9:14 p.m.

Over 400,000 Windows machines, mainly in Russia, faced a nasty surprise this week: a strain of malware attempted to infect them with a cryptocurrency miner.

The malicious program spread to a huge swath of machines before Microsoft's Windows Defender antivirus software intervened. Redmond is blaming a Trojan dubbed Dofoil.

The company first noticed the infection attempts around noon Pacific Time through its malware monitoring systems. "Within the next 12 hours, more than 400,000 instances were recorded, 73 percent of which were in Russia. Turkey accounted for 18 percent and Ukraine 4 percent of the global encounters," Microsoft said in a blog post on Wednesday.

The Dofoil Trojan, also known as Smoke Loader, is nothing new; it's been around since at least 2011. However, Tuesday's attack was designed to deliver software that can secretly mine a variety of cryptocurrencies over a computer. "The sample we analyzed mined Electroneum coins," Microsoft said.

How the Trojan spread to so many computers isn't totally clear. But in an email, Microsoft said, "There are a number of ways a system could be compromised. In this case we have seen some correlation with certain file sharing and internet download programs."

That suggests the Trojan may have been delivered through a torrent file, which often deliver bootleg movies or pirated games. Microsoft stopped the Dofoil attack via its free antivirus software, but that could just be the tip of the iceberg.

As security researcher Kevin Beaumont noted on Twitter, Microsoft is "only seeing Defender numbers"—not PCs with other antivirus protection or none at all—so "infections are likely way over half a million," he wrote.

The incident is the latest in a long line of cryptocurrency-related hacks, some of which can generate a fortune for the cybercriminals involved. On the plus side, coin miners tend to do nothing more than hog your PC's computing power, kicking the machine into high gear. But that doesn't mean the attacks are completely harmless. Dofoil, for instance, can also be used to download malicious files to an infected computer.

"We made this a high priority because Dofoil/Smokeloader can drop a lot of payloads," said Microsoft security specialist Jessica Payne in a tweet. "What we did wasn't just to disrupt a 'relatively harmless' mining campaign, but to detect and interrupt a distribution vector that could just as easily have delivered ransomware to those targets."